U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT’S
COMMON SECURITY CONTROLS COLLECTION
FY 2013

Report No. 4A-CI-00-13-036

Date: 10/10/13

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.


Audit Report

U.S. OFFICE OF PERSONNEL MANAGEMENT

AUDIT OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT’S
COMMON SECURITY CONTROL COLLECTION
FY 2013

WASHINGTON, D.C.

Report No. 4A-IS-00-13-036

Date: 10/10/13

Michael R. Esser
Assistant Inspector General for Audits


Executive Summary

U.S. OFFICE OF PERSONNEL MANAGEMENT

AUDIT OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT’S
COMMON SECURITY CONTROL COLLECTION
FY 2013

WASHINGTON, D.C.

Report No. 4A-IS-00-13-036

Date: 10/10/13

This final audit report discusses the results of our audit of the U.S. Office of Personnel Management’s (OPM) Common Security Controls Collection (CSCC). Our conclusions are detailed in the “Results” section of this report.

CSCC Policies and Procedures
We believe that OPM’s CSCC offers a conceptually comprehensive approach to effectively utilizing and testing a set of common information security controls.

CSCC Implementation
The CSCC adequately reflects the common controls that are provided by agency-wide policies and by physical facilities management. However, we do not believe that the CSCC accurately reflects the common controls provided by the agency’s General Support Systems (GSS).

Use of the CSCC
The owners of OPM’s major applications residing on the GSSs labeled at least several security controls as common that were not identified as common on the CSCC. As a result, these controls were inappropriately omitted from testing by the application owner.


Contents

Executive Summary ..... i
Introduction and Background ..... 1
Objectives ..... 1
Scope and Methodology ..... 1
Compliance with Laws and Regulations ..... 2
Results ..... 3
I. CSCC Policies and Procedures ..... 3
II. CSCC Implementation ..... 4
III. Use of the CSCC ..... 5
Major Contributors to this Report ..... 7
Appendix: The Office of the Chief Information Officer’s September 25, 2013 response to the draft audit report, issued August 14, 2013


Introduction and Background

The Office of Personnel Management (OPM) operates approximately 50 major applications that support the agency’s mission. This includes three general support systems (GSS) that host several smaller systems that leverage the centralized hardware, software, and personnel resources offered by the GSS. The GSSs are owned and operated by the Office of the Chief Information Officer (OCIO).

The Federal Information Security Management Act requires that all major applications be subject to routine security control testing. However, when a security control is provided by a GSS to all of the applications that it hosts (referred to as a “common” control), the individual application owners are not required to independently test this control, as that would be redundant with the OCIO’s testing efforts.

In an effort to streamline the management of common controls, the OCIO created the Common Security Controls Collection (CSCC). The CSCC is intended to be a shared resource for all OPM security professionals and management to reduce duplicate efforts in the information system security control testing process. In addition to the common controls provided by the GSSs, the CSCC identifies the security controls that are addressed by agency-wide policies and procedures and by facilities management at various OPM buildings.

The CSCC was formally distributed in September 2012, and has since been used by application owners to facilitate their systems’ security control tests.

Objectives

The objectives of this audit were to assess the quality of the CSCC and to evaluate the effectiveness of its use by information system owners. These objectives were met by:
• Meeting with OCIO personnel;
• Reviewing policies and guidance regarding the use of the CSCC; and
• Testing the CSCC elements for compliance with known regulations.

Scope and Methodology

This performance audit was conducted by the Office of the Inspector General (OIG) in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary. The audit documented the controls in place for the CSCC as of July 2013.

We considered the nature of the CSCC and the internal control structure of the OCIO in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of the management procedures and controls to the extent necessary to achieve our audit objectives.

Our audit evaluated the elements to create, attest, maintain, and utilize the CSCC. We looked at the CSCC at the time of publication as well as the implementation and use of the CSCC over a period of nine months since publication. We focused our review on the controls listed as common to the agency and those of the general support systems, and did not conduct a review of the inherited controls or those controls attributable to physical locations.

In conducting the audit, we relied to varying degrees on computer-generated data. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, nothing came to our attention during our audit testing utilizing the computer-generated data to cause us to doubt its reliability. We believe that the data was sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States.

Details of our audit findings and recommendations are located in the “Results” section of this report. Since our audit would not necessarily disclose all significant matters related to the CSCC, we do not express an opinion on the utilization of the CSCC as a whole, only on the elements reviewed as a part of this audit.

The audit was conducted from February through October of 2013 in OPM’s Washington, D.C. headquarters building.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether OPM’s management of the CSCC is consistent with applicable standards. Nothing came to our attention during this review to indicate that OPM is in violation of relevant laws and regulations.


Results

The sections below provide a summary of our audit findings and recommendations related to the creation and implementation of the CSCC.

I. CSCC Policies and Procedures

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, “Recommended Security Controls for Federal Information Systems and Organizations,” outlines a wide variety of information system security controls that should be implemented on all major applications.

OPM has three major general support systems (GSS) that each host a variety of independent applications supporting OPM’s mission. Due to the shared hardware, software, and personnel resources maintained for each GSS, the applications residing on a GSS inherit some of the information security controls implemented by their parent system. Many OPM applications also obtain security controls provided by agency-wide policies and procedures and by the physical controls implemented at various OPM buildings.

In September 2012, OPM’s OCIO published a catalog of agency-wide common security controls along with a guidance document labeled “Use of Common Security Controls Collection (CSCC).” The intent of the CSCC is to formally document the security controls that each GSS provides to the applications that reside on that GSS. As a result, the individual application owners will not have to routinely test those common security controls that are provided by the GSS, as this work is performed by the GSS owners.

We reviewed the OCIO’s common controls documentation to verify that it provided OPM’s security professionals and management adequate guidance to appropriately leverage the common controls provided by a GSS.

The guide provides the following:
• The background and purpose of the CSCC;
• The four-step CSCC process;
• The intended use of the CSCC;
• The validation process for common controls;
• An explanation of the difference between common and inherited controls; and
• Instructions for implementing the CSCC.

We believe that OPM’s CSCC offers a conceptually comprehensive approach to effectively utilizing and testing a set of common information security controls. However, the sections below detail several issues we detected in the actual implementation and use of the CSCC.

II. CSCC Implementation

While we believe that the CSCC adequately reflects the common controls that are provided by agency-wide policies and by physical facilities management, we do not believe that the CSCC accurately reflects the common controls provided by the agency’s GSSs.

OPM’s OCIO contracted with the Bureau of Public Debt (BPD) to determine which information security controls are “common,” and to also independently test these controls. Although it appears that the BPD performed some test work on all of the CSCC controls, we do not believe that the BPD adequately verified that each of these controls is, in fact, provided to every application that resides on each GSS.

As part of this audit we independently tested a sample of common controls, and found that each tested control was adequately implemented for the specific GSS hosting that control. However, our interviews with the GSS owners revealed that many of the controls listed as “common” on the CSCC are not enforced and/or available for each of the applications residing on the GSS. In other words, the CSCC labels certain controls as common that really should have been implemented for each individual application (referred to as system-specific controls).

NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, defines a common security control as having “the following properties: [i] The development, implementation, and assessment of the control can be assigned to a responsible official or organizational element (other than the information system owners . . . ); and [ii] The results from the assessment of the control can be used to support the security certification and accreditation processes of an agency information system where that control has been applied.”

Incorrectly labeling security controls as common increases the likelihood that these controls are not properly implemented and tested at the application level, which in turn increases the risk of sensitive data breaches.

Recommendation 1
We recommend that the OCIO meet with each GSS owner to determine which information security controls are provided to every application hosted by that GSS. The GSS owners should formally acknowledge this updated list of controls, and the results should be published in a new CSCC.

OCIO Response:
“The security staff will meet with General Support System providers to document and discuss the recommended changes. The Common Controls Procedures and Catalog will be updated and republished reflecting all changes.

The CIO agrees that in some circumstances, depending on the implementation of the system and/or categorization, the GSS cannot provide all the security objectives of a listed Security Control in the CSCC. For the instance where the GSS (LAN/WAN) has a lower categorization than the Major Application using the Security Control . . . the Assessor (BPD) was instructed to assess each of the control[s] at the HIGH Categorization implementation, thus alleviating any issue with Major Applications with a higher Categorization than that of the GSS. Some Major Applications may choose to implement Security Controls and Mechanisms that superimpose, complement or enhance those provided by the GSS, but these implementations are at the purview of the Major Application’s System Owner. The CIO agrees that there needs to be some collaboration on the part of the System Owners and the Control Provider (GSS) to assure that the controls that the System Owner is indicating as ‘inherited’ or ‘hybrid’ are applicable to their implementations and available from the Control Provider.”

OIG Reply:
As part of the audit resolution process for this recommendation and all subsequent recommendations to which OCIO agrees, please provide OPM’s Internal Oversight and Compliance (IOC) division with evidence supporting the corrective action taken.

Recommendation 2
We recommend that no OPM application rely on the general support system portion (LAN-WAN, ESI, Macon) of the current version of the CSCC when performing any form of security control testing. This recommendation is effective immediately, and should not be closed until Recommendation 1 is completely implemented.

OCIO Response:
“The CIO agrees that there needs to be better information relating to the assumption of ‘inherited’ and/or ‘hybrid’ controls from any of the Control Providers (LAN/WAN, ESI and MACON GSS). The security team will work with the GSS providers to update the necessary controls.”

III. Use of the CSCC

As stated above, the intent of the CSCC is to reduce duplicate efforts in the testing of information security controls. If a security control is provided by a GSS, then the applications residing on that GSS do not need to test that control.

Section II describes our concern that the CSCC does not accurately reflect the security controls that are truly common to all systems residing on each GSS. That issue aside, we also determined that individual application owners are not appropriately using the current version of the CSCC.

The Information System Security Plan (ISSP) of each major OPM application describes the security controls that are in place for that system. We examined the ISSP for each OPM application that resides on a GSS, and mapped the security controls detailed in the ISSP to the CSCC. Our review indicated that the owners of every one of these applications had labeled at least several security controls as common that were not identified as common on the CSCC. As a result, these controls were inappropriately omitted from testing by the application owner.

We acknowledge that there are instances when an application can inherit a control from a GSS, even if that control is not a universal common control for all other applications on that GSS. However, in these instances the CSCC cannot be leveraged, and the application owners must work with the GSS owners to determine exactly which controls are provided by the GSS.
We believe that formalizing this process will reduce the risk that controls will be mislabeled as common or inherited, and will ensure that every control is tested at either the GSS or the application level.

Recommendation 3
Once the new CSCC is published, we recommend that the owners of all applications residing on a GSS update the system’s ISSP to identify and immediately test all controls that were previously mislabeled as a common control.

OCIO Response:
“The CIO agrees that additional documentation and training on the use of the Common Security Controls in the CSCC should be given and that additional scrutiny of System Security Plans to include a review of Agency Common Controls is warranted.

The CIO will [be] republishing the CSCC to identify each Security Control, if any, that were incorrectly identified as Common and appropriately notify each system owner with their responsibility to assess each control and update their SSP respectively.

Controls that were mislabeled will be included in the assessment of controls under the Information Security Continuous Monitoring (ISCM) Program.”

Recommendation 4
We recommend that OCIO update the CSCC procedures to require application owners to seek formal acknowledgement from GSS owners when inheriting security controls from that GSS that are not common to all other applications. This process should require the use of a template that is signed by the GSS owner as their acknowledgement that the controls are provided to that application.

OCIO Response:
“The CSCC Process currently has a process to have the Major Application verify that controls that are marked as ‘Inherited’ in the CSCC must be verified with the GSS System Owner for their use. The security team will develop a template for GSS owners to acknowledge inheritable controls.”


Major Contributors to this Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of the Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report:

• Lewis F. Parker, Deputy Assistant Inspector General for Audits
• [redacted], Senior Team Leader
• [redacted], Lead IT Auditor In Charge
• [redacted], IT Auditor


Appendix

9/25/13

MEMORANDUM FOR LEWIS F. PARKER, JR
DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS

FROM: CHARLES R. SIMPSON
ACTING CHIEF INFORMATION OFFICER

Subject: CIO Responses to OIG Audit 4A-CI-00-13-036

Recommendation 1

We recommend that the OCIO meet with each GSS owner to determine which information security controls are provided to every application hosted by that GSS. The GSS owners should formally acknowledge this updated list of controls, and the results should be published in a new CSCC.

CIO Response:

The security staff will meet with General Support System providers to document and discuss the recommended changes. The Common Controls Procedures and Catalog will be updated and republished reflecting all changes.

The CIO agrees that in some circumstances, depending on the implementation of the system and/or categorization, the GSS cannot provide all the security objectives of a listed Security Control in the CSCC. In the instance where the GSS (LAN/WAN) has a lower categorization than the Major Application using the Security Control, the Assessor (BPD) was instructed to assess each of the controls at the HIGH Categorization implementation, thus alleviating any issue with Major Applications with a higher Categorization than that of the GSS. Some Major Applications may choose to implement Security Controls and Mechanisms that superimpose, complement or enhance those provided by the GSS, but these implementations are at the purview of the Major Application’s System Owner. The CIO agrees that there needs to be some collaboration on the part of the System Owner and the Control Provider (GSS) to assure that the controls that the System Owner is indicating as “inherited” or “hybrid” are applicable to their implementations and available from the Control Provider.

Recommendation 2

We recommend that no OPM application rely on the general support system portion (LAN-WAN, ESI, Macon) of the current version of the CSCC when performing any form of security control testing. This recommendation is effective immediately, and should not be closed until Recommendation 1 is completely implemented.

CIO Response:

The CIO agrees that there needs to be better information relating to the assumption of “inherited” and/or “hybrid” controls from any of the Control Providers (LAN/WAN, ESI and MACON GSS). The security team will work with the GSS providers to update the necessary controls.

Recommendation 3

Once the new CSCC is published, we recommend that the owners of all applications residing on a GSS update the system’s ISSP to identify and immediately test all controls that were previously mislabeled as a common control.

CIO Response:

The CIO agrees that additional documentation and training on the use of the Common Security Controls in the CSCC should be given and that additional scrutiny of System Security Plans to include a review of Agency Common Controls is warranted.

The CIO will be republishing the CSCC to identify each Security Control, if any, that were incorrectly identified as Common and appropriately notify each system owner with their responsibility to assess each control and update their SSP respectively.

Controls that were mislabeled will be included in the assessment of controls under the Information Security Continuous Monitoring (ISCM) Program.

Recommendation 4

We recommend that OCIO update the CSCC procedures to require application owners to seek formal acknowledgement from GSS owners when inheriting security controls from that GSS that are not common to all other applications. This process should require the use of a template that is signed by the GSS owner as their acknowledgement that the controls are provided to that application.

CIO Response:

The CSCC Process currently has a process to have the Major Application verify that controls that are marked as “Inherited” in the CSCC must be verified with the GSS System Owner for their use. The security team will develop a template for GSS owners to acknowledge inheritable controls.